SELinux

From Request Tracker Wiki
Jump to: navigation, search

What Is This?

Security-enhanced Linux (SELinux) is an implementation of a mandatory access control mechanism.This

mechanism is in the Linux kernel, checking for allowed operations after standard Linux discretionary
access controls are checked.

For more information check the SELinux Guide provided by RedHat.

Simple

This cargo-culted command from a Rails tutorial worked for me under RHEL 4:

chcon -Rv user_u:object_r:httpd_user_content_t /opt/rt3/var/

The above was all that was required to get RT 3.8 running under SELinux for me, until the machine became its own (primary, and no longer relaying) mail server. At that point RT began trying to exec sendmail, which in my config was a link since I was running postfix. Notifications went undelivered and messages showed:

Nov 8 18:48:47 rt kernel: audit(1226188127.916:114): avc: denied { read } for pid=10271 comm="httpd.worker" name="sendmail" dev=dm-0 ino=4464227 scontext=user_u:system_r:httpd_t tcontext=user_u:object_r:sbin_t tclass=lnk_file

My solution was to hardlink /usr/sbin/sendmail.postfix to /usr/sbin/sendmail

Under Scientific Linux release 6.2 (Carbon) running rt4, the chcon command needed another SELinux context:

chcon -Rv user_u:object_r:httpd_user_content_t:s0 /opt/rt4/var/

Thorough

start of information regarding creating a selinux policy for FC4 and RT

cd /etc/selinux/targeted/src/policy

vi domains/misc/local.te

add...

allow httpd_t httpd_log_t:dir create;

allow httpd_t httpd_tmp_t:sock_file { create setattr unlink write };
allow httpd_t httpd_log_t:sock_file { create setattr unlink write };

then

make load

use audit2allow to convert the stuff from dmesg or /var/log/messages to that format.

also need to figure out how to set the context of files, because the stuff in $RT/var needs to be writable by the httpd_t process.

Here are my changes for running RT 3.4.5 under FC4 and SE Linux. I have rt installed in /srv/rt3 and mysql in /srv/mysql:

local.te:

allow httpd_t httpd_sys_script_t:process { noatsecure rlimitinh siginh };

allow httpd_t nscd_var_run_t:dir search;

allow httpd_sys_script_t devlog_t:sock_file write;

allow httpd_sys_script_t httpd_log_t:file ioctl;
allow httpd_sys_script_t httpd_sys_script_exec_t:dir read;
allow httpd_sys_script_t httpd_t:unix_stream_socket { accept getattr ioctl shutdown read write };
allow httpd_sys_script_t mail_spool_t:dir search;
allow httpd_sys_script_t mqueue_spool_t:file read;
allow httpd_sys_script_t mysqld_db_t:lnk_file read;
allow httpd_sys_script_t nscd_var_run_t:dir search;
allow httpd_sys_script_t self:unix_dgram_socket { create connect ioctl write };
allow httpd_sys_script_t syslogd_t:unix_dgram_socket sendto;
allow httpd_sys_script_t system_mail_t:process { noatsecure rlimitinh siginh };
allow httpd_sys_script_t var_log_t:file { append ioctl };

allow system_mail_t httpd_log_t:file { append getattr };

allow system_mail_t httpd_sys_script_t:unix_stream_socket { read write };
allow system_mail_t httpd_t:unix_stream_socket { read write };
allow system_mail_t nscd_var_run_t:dir search;

local.fc:

/srv system_u:object_r:root_t

/srv/mysql(/.*)?            system_u:object_r:mysqld_db_t
/srv/mysql/mysql.sock -s   system_u:object_r:mysqld_var_run_t

/srv/rt3 system_u:object_r:httpd_sys_content_t

/srv/rt3/bin(/.)?          system_u:object_r:httpd_sys_script_exec_t
/srv/rt3/etc(/.)?                              system_u:object_r:httpd_sys_content_t
/srv/rt3/lib(/.)?          system_u:object_r:httpd_sys_content_t
/srv/rt3/local(/.)?                    system_u:object_r:httpd_sys_content_t
/srv/rt3/sbin                           root:object_r:default_t
/srv/rt3/share(/.)?        system_u:object_r:httpd_sys_content_t
/srv/rt3/var                            system_u:object_r:httpd_sys_content_t
/srv/rt3/var/mason_data(/.)?   system_u:object_r:httpd_sys_content_t

See also

The PostQuestionsHere page for some SELinux answers.